CVE-2024-10525

Name
CVE-2024-10525
Description
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may perform an out-of-bounds memory access when acting on it in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190
https://mosquitto.org/blog/2024/10/version-2-0-19-released/
https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c

Match rules

CPE URI                                                  Source package  Min version  Max version
                                                         mosquitto       >= 1.3.2     <= 2.0.18
cpe:2.3:a:eclipse_foundation:mosquitto:*:*:*:*:*:*:*:*   mosquitto       >= 1.3.2     <= 2.0.18
cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*              mosquitto       >= 1.3.2     <  2.0.19

Vulnerable and fixed packages

Source package  Branch     Version    Maintainer                             Status
mosquitto       3.20-main  2.0.18-r0  Natanael Copa <ncopa@alpinelinux.org>  possibly vulnerable
mosquitto       3.19-main  2.0.18-r0  Natanael Copa <ncopa@alpinelinux.org>  possibly vulnerable
mosquitto       3.18-main  2.0.18-r0  Natanael Copa <ncopa@alpinelinux.org>  possibly vulnerable
mosquitto       3.17-main  2.0.15-r1  Natanael Copa <ncopa@alpinelinux.org>  possibly vulnerable